Sau*_*ode 3 security nfs mount centos kerberos
我在 Centos 7 上有一个 nfs 服务器,它在 /etc/exports 文件中:
/export *(rw,sec=krb5p)
当我发出此命令时,它按预期成功挂载:
mount -t nfs -o sec=krb5p server.example.com:/export /mnt/export
它还成功挂载以响应此命令:
mount -t nfs server.example.com:/export /mnt/export
在这两种情况下,运行都findmnt表明正在使用 sec=krb5p 选项。在第二种情况下,该mount命令是否存在隐藏的默认值,或者客户端是否与 nfs 服务器通信并发现 sec=krb5p 是唯一允许的选项?
来自RHEL 7 文档:
sec=mode
Its default setting is sec=sys, which uses local UNIX UIDs and GIDs. These use
AUTH_SYS to authenticate NFS operations."
sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to
authenticate users.
sec=krb5i uses Kerberos V5 for user authentication and performs integrity
checking of NFS operations using secure checksums to prevent
data tampering.
sec=krb5p uses Kerberos V5 for user authentication, integrity checking,
and encrypts NFS traffic to prevent traffic sniffing. This is the most
secure setting, but it also involves the most performance overhead.
来自man nfs:
sec=flavor
The security flavor to use for accessing files on this
mount point. If the server does not support this fla?
vor, the mount operation fails. If sec= is not speci?
fied, the client attempts to find a security flavor that
both the client and the server supports. Valid flavors
are none, sys, krb5, krb5i, and krb5p. Refer to the
SECURITY CONSIDERATIONS section for details.
来自man mount_nfs:
sec=<mechanism>
Force a specific security mechanism to be used for the mount,
where mechanism is one of: krb5p, krb5i, krb5, or sys. When this
option is not given the security mechanism will be negotiated
transparently with the remote server.
| 归档时间: |
|
| 查看次数: |
4007 次 |
| 最近记录: |